Risks

Exploits of this issue on unmitigated appliances have been observed in the wild used by criminals. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who have chosen to apply the mitigation should upgrade all of their vulnerable appliances to a patched version as soon as possible.

Recommended Actions

Citrix has released updates in Security Bulletin CTX267027. The update patches the directory traversal vulnerability, responsible for the function injection. If updates are unavailable for your platform, or if you are otherwise unable to apply updates, please consider the mentioned workarounds. CERT.be recommends to apply the patch as soon as possible. The patches can be downloaded from the Citrix support.

References

1. https://support.citrix.com/article/CTX267027
2. https://support.citrix.com/article/CTX267679
3. https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/
4. https://isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/
5. https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/
6. https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
7. https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
8. https://www.us-cert.gov/ncas/alerts/aa20-020a
9. https://www.us-cert.gov/ncas/alerts/aa20-031a
10. https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/